Hacker breaks into Telangana’s TSPost website, exposes flaw
2018-02-28
<div dir="ltr" style="text-align: left;" trbidi="on"><div style="text-align: justify;">Indian government sites are often criticized for their lack of cyber security and safety of people’s information. Pointing out a flaw in Telangana government’s NREGA portal, French hacker and independent security researcher Robert Baptiste hacked into the state government’s website.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">He reportedly contacted the site owners regarding the issue and, after receiving no response for some time, published his results on social media.</div><br /><blockquote class="twitter-tweet" data-lang="en"><div dir="ltr" lang="en">In theory, a government website is very secure but in <a href="https://twitter.com/hashtag/India?src=hash&amp;ref_src=twsrc%5Etfw">#India</a> it's another story...<a href="https://t.co/88CKv3hM9q">https://t.co/88CKv3hM9q</a> is vulnerable to a basic SQL injection...🤦‍♂️ <a href="https://t.co/3x1lX1mCUp">pic.twitter.com/3x1lX1mCUp</a></div>— Elliot Alderson (@fs0c131y) <a href="https://twitter.com/fs0c131y/status/967828179074330624?ref_src=twsrc%5Etfw">February 25, 2018</a></blockquote><br /><div style="text-align: justify;">The website (http://tspost.aponline.gov.in) was vulnerable to one of the most basic web hacking techniques, SQL injection. It has now gone offline in the wake of this news.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">“A basic SQL injection allows an attacker to access the database of the website,” Robert said. “To be clear, all the data on this website can be a dump. Telangana government officials say they are working to fix it.
For this website, they have to hire decent web developers to protect it from attacks.”</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">TSPost, Telangana’s government benefit disbursement portal, contained the account details and Aadhaar numbers of over 56 lakh NREGA beneficiaries and 40 lakh beneficiaries of social security pensions.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Using the SQL injection, Robert was able to access not just the Aadhaar and account details from the website but also the API keys of UIDAI’s Aadhaar database, access to which can enable anyone capable enough to make a fake Aadhaar app that could be uploaded to the Google Play Store for malicious use.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">This is one of the many cases pointing out how vulnerable the Aadhaar system is to hacking and security breaches.</div></div>Kshitija Agrawal